On 9 November 2015 19:36:06 GMT+00:00, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
>On Mon, 9 Nov 2015, Patrick McHardy wrote:
>
>> Basically the idea is:
>>
>> * don't mark the first SYN untracked and have it create a conntrack as normal
>> * direct that SYN to synproxy
>> * mark the connection as proxied, which will avoid setting the ASSURED bit when
>> receiving our spoofed reply
>> * only set assured once we have the connection fully established
>>
>> This would create a conntrack, but keep it evictable under pressure. So the
>> cost would be ct set up, but we could tear it down at any point when we're
>> under pressure. The synproxy target can handle both connections with and
>> without a conntrack.
>[...]
>> The ct state rule could actually be created automatically since it is a
>> dependency.
>[...]
>> The method of using notrack would of course still be possible.
>
>I like the idea: the notrack method would still be supported and the "do
>conntrack but with safety-net" way would be possible too. Looks cool!

Thanks Jozsef. I'm thinking it's the best of both worlds myself. Implementation should be quite easy, I'll give it a try.

>
>Best regards,
>Jozsef
>-
>E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
>PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
>Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary

--
This message was sent from my Android phone with K-9 Mail.
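For reference, the existing "notrack" method the thread contrasts the proposal with, as an added example in nftables syntax (not code from the thread or from the netfilter project; it assumes an nftables release with synproxy support, and port 80 is a placeholder). It is the current mechanism, not the proposed "create a conntrack but keep it evictable" variant:

```nft
table ip filter {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        # Leave the client's initial SYN untracked so no conntrack entry
        # is created for it; synproxy answers it with a spoofed SYN-ACK.
        tcp dport 80 tcp flags syn notrack
    }

    chain input {
        type filter hook input priority filter; policy accept;
        # The untracked SYN (from above) and the client's final ACK, which
        # has no conntrack state yet and is therefore "invalid", both go to
        # synproxy. Only once the handshake completes does synproxy create
        # the conntrack entry and replay the handshake towards the server.
        tcp dport 80 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack
        # Everything else without valid conntrack state is dropped.
        ct state invalid drop
    }
}
```

Load it with `nft -f`; the SYNPROXY documentation also recommends setting net.netfilter.nf_conntrack_tcp_loose=0 so conntrack does not pick up connections mid-stream.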